2
Key Exchange with Symmetric Crypto
1. Setting: A and B are on a network and each shares a secret key with a key distribution center (KDC), Trent. How do they get a key for each other?
2. A requests a session key from Trent to talk to B.
3. Trent generates the session key, encrypts one copy with A's key and one with B's, and sends both to A.
4. A decrypts her copy and forwards B his copy.
5. B decrypts his copy.
6. A and B use the session key to communicate.
7. Trent is a bottleneck and a single point of attack: every session key passes through him, and whoever compromises his key database can read every session. Note also that, as stated, a copy carries neither the peer's identity nor anything fresh, so a party cannot tell a replayed copy from a new one.
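
The exchange above as an added simulation (not the slides' code). The symmetric cipher is assembled from the standard library so the example runs offline: an HMAC-SHA256 keystream for confidentiality and an encrypt-then-MAC tag for integrity, under two subkeys derived from one key. The principal names and their long-term keys are constructed; Trent's request counter makes step 7 visible.

```python
"""Added simulation of the KDC key exchange (not the slides' code)."""
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys so the two HMAC uses never collide."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _stream(ke: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(ke, nonce || counter) per 32-byte block."""
    blocks = (hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per call."""
    ke, km = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(ke, nonce, len(plaintext))))
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a bad tag means altered, or not under this key."""
    ke, km = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(km, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")
    return bytes(c ^ s for c, s in zip(ct, _stream(ke, nonce, len(ct))))


# Step 1: every principal shares one long-term key with Trent (constructed here).
PARTIES = {"alice": os.urandom(32), "bob": os.urandom(32)}


class Trent:
    """The KDC.  It holds a copy of every long-term key, which is why it is
    both a bottleneck (step 7) and the most valuable target on the network."""

    def __init__(self, long_term_keys):
        self.keys = dict(long_term_keys)
        self.requests = 0

    def request(self, requester: str, peer: str):
        """Steps 2-3: mint a session key and return one sealed copy per party."""
        self.requests += 1
        k = os.urandom(32)
        return seal(self.keys[requester], k), seal(self.keys[peer], k)


def run_session(trent: Trent, a: str, b: str, message: bytes) -> bytes:
    """Steps 2-6, from A's request to B reading A's first message."""
    copy_for_a, copy_for_b = trent.request(a, b)
    k_at_a = open_(PARTIES[a], copy_for_a)   # 4: A decrypts hers, forwards B's untouched
    k_at_b = open_(PARTIES[b], copy_for_b)   # 5: B decrypts his with his own key
    return open_(k_at_b, seal(k_at_a, message))  # 6: traffic under the session key


if __name__ == "__main__":
    t = Trent(PARTIES)
    print(run_session(t, "alice", "bob", b"meet at noon"), t.requests)
```

Nothing in a copy says who it is for or when it was made; `open_` only tells B that the copy was sealed under his long-term key, which is exactly the gap noted in point 7.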

4
Man-in-the-Middle Attack
1. A sends B her public key. Mallory intercepts it and sends B his own public key in its place.
2. Likewise, mutatis mutandis, with B's key on its way to A.
3. A sends a message to B. M intercepts it, reads it with his private key, re-encrypts it with B's real public key and sends it on to B.
4. Likewise, mutatis mutandis, with B's messages to A. Neither A nor B notices: each holds a valid-looking key and receives readable messages.

5
Interlock Protocol to Foil the Man in the Middle
1. A and B swap public keys.
2. A encrypts her message and sends half of it to B.
3. B does the same, sending half of his message to A.
4. A sends her other half; B assembles the halves and decrypts.
5. Likewise B sends his other half to A.
6. A "half" can be the first half, every other byte, etc., or the first half can be a hash of the (encrypted) message and the second half the message itself.
7. M can't decrypt half a message, so he can't re-encrypt it under the real key and pass it on. Since each side waits for the other's first half before sending its second, M must hand over a first half of his own invention before he has seen any plaintext, and by the time the second halves arrive he is committed to it: the conversation A and B end up having is not the one they meant to have.
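
The attack on the preceding slide and the interlock defence on this one, as an added simulation (not the slides' code) of the A-to-B direction; B-to-A is symmetric. Public-key encryption is textbook RSA with ~40-bit moduli and no padding, enough to show the protocol flow and nothing more; the key sizes, the 3-byte block format, the hash-then-message "halves" and Mallory's invented text are all assumptions of this example.

```python
"""Added toy model of the public-key man in the middle and of interlock."""
import hashlib
import math
import random

rng = random.Random(2024)   # fixed seed: the toy keys are reproducible


def _prime(bits: int = 20) -> int:
    """Random odd prime of the given size by trial division (toy sizes only)."""
    while True:
        c = rng.randrange(1 << (bits - 1), 1 << bits) | 1
        if all(c % d for d in range(3, math.isqrt(c) + 1, 2)):
            return c


def keygen(e: int = 65537):
    """Textbook RSA: returns ((n, e), (n, d))."""
    while True:
        p, q = _prime(), _prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt(msg: bytes, pub) -> list:
    """3-byte chunks behind a 0x01 marker, so every block is < 2**25 < n."""
    n, e = pub
    return [pow(int.from_bytes(b"\x01" + msg[i:i + 3], "big"), e, n)
            for i in range(0, len(msg), 3)]


def decrypt(blocks: list, priv) -> bytes:
    n, d = priv
    return b"".join(pow(c, d, n).to_bytes(4, "big").lstrip(b"\x00")[1:]
                    for c in blocks)


def commit(blocks: list) -> bytes:
    """Interlock first 'half': a hash of the encrypted second half."""
    return hashlib.sha256(",".join(map(str, blocks)).encode()).digest()


def plain_exchange(alice_msg: bytes):
    """Slide 4.  Returns (what Mallory read, what Bob received)."""
    b_pub, b_priv = keygen()
    m_pub, m_priv = keygen()
    # Steps 1-2: Mallory swapped his key for Bob's, so Alice encrypts to Mallory.
    ct = encrypt(alice_msg, m_pub)
    # Step 3: Mallory reads, re-encrypts under Bob's real key, forwards.
    read = decrypt(ct, m_priv)
    return read, decrypt(encrypt(read, b_pub), b_priv)


def interlock_exchange(alice_msg: bytes, mallory_relays_real_text: bool):
    """Slide 5.  Returns (what Mallory read, what Bob accepted, or None on abort)."""
    b_pub, b_priv = keygen()
    m_pub, m_priv = keygen()
    ct = encrypt(alice_msg, m_pub)           # Alice still holds Mallory's key
    # Step 2: Alice sends only commit(ct).  She will not send the second half
    # until "Bob's" first half arrives, so Mallory must commit to Bob now,
    # knowing nothing about Alice's plaintext: he has to invent a message.
    invented = encrypt(b"(whatever Mallory guesses)", b_pub)   # constructed
    bob_first_half = commit(invented)
    # Step 4: the second half arrives and Mallory can read Alice's text ...
    read = decrypt(ct, m_priv)
    # ... but whatever he forwards must match the hash Bob already holds.
    forwarded = encrypt(read, b_pub) if mallory_relays_real_text else invented
    if commit(forwarded) != bob_first_half:
        return read, None                    # Bob: halves disagree, abort
    return read, decrypt(forwarded, b_priv)


if __name__ == "__main__":
    print(plain_exchange(b"meet at noon"))
    print(interlock_exchange(b"meet at noon", mallory_relays_real_text=False))
    print(interlock_exchange(b"meet at noon", mallory_relays_real_text=True))
```

Mallory still reads Alice's text in both interlock runs; what interlock takes from him is the ability to pass it on, which is why slide 17 notes that the attack can be improved when the two parties' messages do not depend on each other.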

10
Dictionary Attacks and Salt
1. Unix's one-way password function is public.
2. Dictionary attack: generate likely passwords, run each through the one-way function and look for matches in the password database.
3. A "salt" is a random string concatenated to the password before the one-way function; it is stored in the clear alongside the result (like an initialization vector).
4. M then has to run each dictionary word through the function once per user, with that user's salt, to find a match.

11
Dictionary Attack and Salt, Continued
1. So M can't just compare a precomputed dictionary of hashed passwords against the whole database at once. He has to do a dictionary search per user, not per database.
2. Even so, dictionary attacks on Unix are surprisingly successful: salt multiplies the attacker's work by the number of users but does nothing about weak passwords.
3. Salt protects the system, not an individual user: a targeted attack on one account costs the same with or without it.
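
The two slides above as an added illustration (not the slides' code) of what a dictionary attack costs against an unsalted and a salted password file. SHA-256 stands in for the Unix one-way function so the code runs anywhere; the point is the number of evaluations, not the function (a real system also uses a deliberately slow function, which these slides do not cover). The accounts, passwords and dictionary are constructed.

```python
"""Added comparison of dictionary-attack cost with and without salt."""
import hashlib
import os

# Constructed sample data.
ACCOUNTS = [("alice", b"password"), ("bob", b"hunter2"), ("carol", b"correct horse battery")]
DICTIONARY = [b"123456", b"password", b"letmein", b"hunter2", b"qwerty"]


def one_way(salt: bytes, password: bytes) -> bytes:
    """Stand-in for crypt(): the salt is concatenated to the password, as on the slide."""
    return hashlib.sha256(salt + password).digest()


def make_password_file(accounts, salted: bool):
    """Rows of (user, salt, hash); salt is empty when the file is unsalted.
    Classic Unix salt was 12 bits; 8 random bytes here keep the demo collision-free."""
    rows = []
    for user, pw in accounts:
        salt = os.urandom(8) if salted else b""
        rows.append((user, salt, one_way(salt, pw)))
    return rows


def dictionary_attack(password_file, dictionary):
    """Returns ({user: password}, number of one-way evaluations).
    The attacker hashes the dictionary once per distinct salt: for an unsalted
    file that is one pass for everybody, with per-user salts one pass per user."""
    by_salt = {}
    for user, salt, h in password_file:
        by_salt.setdefault(salt, []).append((user, h))
    cracked, evaluations = {}, 0
    for salt, users in by_salt.items():
        table = {}
        for word in dictionary:
            table[one_way(salt, word)] = word
            evaluations += 1
        for user, h in users:
            if h in table:
                cracked[user] = table[h]
    return cracked, evaluations


if __name__ == "__main__":
    print(dictionary_attack(make_password_file(ACCOUNTS, salted=False), DICTIONARY))
    print(dictionary_attack(make_password_file(ACCOUNTS, salted=True), DICTIONARY))
    # point 3 of the slide: one targeted user costs the same either way
    print(dictionary_attack(make_password_file(ACCOUNTS[1:2], salted=True), DICTIONARY))
```

Both runs crack the same two accounts; salt only changes the count of evaluations from one dictionary pass to one pass per user, and the single-user run shows why that is no protection for one account on its own.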

12
S/KEY: Motivation
1. Used at UR. Why is the chain worked through backwards?
2. Problem: sending a password in the clear over a phone line. Partial answer: the system must authenticate you before letting you attempt a login over the phone, but your password could still be captured.

14
Authentication with Public Keys: Motivation
1. Problem: sending a password over the phone in the clear, or even having it in the computer in the clear, however briefly (e.g., before encryption).
2. So the host keeps a file of public keys and the user keeps her private key as usual. Two protocols follow.

15
Weak PK Authentication
1. Host sends A a random string.
2. A "encrypts" it with her private key (i.e., signs it) and sends the result back along with her name.
3. Host looks up her public key by name and decrypts (verifies).
4. If the result is the string it sent, A is authenticated.
5. Not bad, except for step 1: M could pretend to be the host and mount a chosen-ciphertext attack on A. Applying her private key to a "random string" of M's choosing is the same operation as decrypting a message encrypted to her, or signing a document she never saw.
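
The challenge-response above, run by an honest host and then by Mallory posing as the host, as an added example (not the slides' code). Textbook RSA with a toy modulus (p = 61, q = 53, constructed) and no padding, for illustration only. The hashed variant at the end is one repair added here; it is not the "better" protocol of the next slide.

```python
"""Added example of the weak public-key challenge-response and its misuse."""
import hashlib
import random

N, E, D = 3233, 17, 2753          # n = 61*53, phi = 3120, 17*2753 = 1 mod 3120
rng = random.Random(5)


def alice_respond(challenge: int) -> int:
    """Step 2: Alice applies her private key to whatever the 'host' sent."""
    return pow(challenge, D, N)


def host_verify(challenge: int, response: int) -> bool:
    """Steps 3-4: undo it with Alice's public key and compare."""
    return pow(response, E, N) == challenge


def honest_run() -> bool:
    """Step 1 by the real host: a genuinely random challenge."""
    c = rng.randrange(1, N)
    return host_verify(c, alice_respond(c))


def mallory_run(ciphertext_for_alice: int) -> int:
    """Step 5: Mallory plays host and chooses the 'random string' himself.
    With RSA, applying the private key is both signing and decrypting, so
    Alice hands back the plaintext of a message someone encrypted to her."""
    return alice_respond(ciphertext_for_alice)


def _hash_mod_n(challenge: int) -> int:
    digest = hashlib.sha256(challenge.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % N


def alice_respond_hashed(challenge: int) -> int:
    """Repair added here: the private key only ever touches a hash of the
    challenge, never a raw value of the peer's choosing."""
    return pow(_hash_mod_n(challenge), D, N)


def host_verify_hashed(challenge: int, response: int) -> bool:
    return pow(response, E, N) == _hash_mod_n(challenge)


if __name__ == "__main__":
    pin_ct = pow(1234, E, N)   # a PIN (constructed) encrypted to Alice's public key
    print(honest_run(), mallory_run(pin_ct))   # True 1234
```

With the hashed variant Mallory's "challenge" comes back as the signature of a hash of the ciphertext, which tells him nothing about the PIN; the next slide's protocol goes further by having Alice contribute randomness of her own first.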

16
Better PK Authentication
1. A performs a computation using random numbers of her own and her private key, and sends the result to the host.
2. Host sends A a different random number.
3. A performs further computations on all the random numbers and her key and sends the result to the host.
4. Host does computations on everything received from A to verify that she knows her own private key; if so, A is authenticated. Because A's own randomness enters first, the value she processes under her private key is never solely of the host's (or an impostor's) choosing.

17
Mutual Authentication with Interlock
1. Why should A believe the host is who it says it is?
2. A and B each have a password the other knows, PA and PB. The man in the middle defeats the naive protocol:
3. A encrypts PA with B's public key and sends it to B.
4. B encrypts PB with A's public key and sends it to A.
5. A and B decrypt and verify the passwords.
6. Mallory can get in, substitute his public key for A's (towards B) and vice versa, and learn both passwords. Interlock can help, but the attack can be improved.

24
Secret Splitting and Sharing
1. Send different parts of a message to different people, who must cooperate to read it.
2. Trent generates a random string R the same length as the message M.
3. Trent XORs M with R to produce S.
4. Trent gives R to A and S to B.
5. A and B XOR their pieces to reconstruct M.
6. It is as if Trent had used a one-time pad and given the ciphertext to one person and the pad to the other: either piece alone is uniformly random and says nothing about M.

25
Threshold Schemes
1. With hardware or computer techniques, the message can be distributed in n pieces such that any m of the n holders can reconstruct it, but fewer cannot: an (m, n) threshold scheme.
2. See the text for a technical how-to.
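
An added example (not the slides' code) covering both slides: XOR splitting, generalized from two holders to n, where all n must cooperate; and an (m, n) threshold scheme. The threshold scheme used here is Shamir's, which the slides only point to the text for: the secret is the constant term of a random polynomial of degree m-1 over a prime field, each holder gets one point on it, and any m points interpolate the constant term back. The field prime and the sample secrets are assumptions of this example.

```python
"""Added example of n-of-n XOR splitting and Shamir (m, n) threshold sharing."""
import secrets


def xor_bytes(*parts: bytes) -> bytes:
    out = bytearray(len(parts[0]))
    for part in parts:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def split_xor(secret: bytes, n: int) -> list:
    """n-1 one-time pads plus M xor (all pads): each piece alone is uniform random."""
    pads = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    return pads + [xor_bytes(secret, *pads)]


def join_xor(pieces: list) -> bytes:
    """Slide 24 step 5: XOR every piece together; any piece missing leaves noise."""
    return xor_bytes(*pieces)


P = 2 ** 521 - 1   # Mersenne prime (assumed field); secrets are integers below it


def split_threshold(secret: int, m: int, n: int) -> list:
    """Shares (x, f(x)) for x = 1..n of a random degree m-1 polynomial with f(0) = secret."""
    assert 0 <= secret < P and 1 <= m <= n
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def join_threshold(shares: list) -> int:
    """Lagrange interpolation at x = 0.  Correct with any m distinct shares;
    with fewer it returns a value that carries no information about the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


if __name__ == "__main__":
    pieces = split_xor(b"meet at noon", 3)                    # constructed secret
    print(join_xor(pieces), join_xor(pieces[:2]))              # second value is noise
    s = int.from_bytes(b"launch code 0042", "big")             # constructed secret
    shares = split_threshold(s, 3, 5)
    print(join_threshold([shares[0], shares[2], shares[4]]) == s,
          join_threshold(shares[:2]) == s)                      # True False
```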

26
Protecting Databases with Crypto
1. How do you arrange a database so you can extract the address of someone whose name you know, but can't get at everyone's address?
2. Use a one-way hash and symmetric encryption.
3. Store each record (full name and address) encrypted under a key derived from the last name, along with a field holding the hash of the last name.
4. To find a record, search the database for the hashed name and decrypt what you find using the last name.
5. Caveat: this only resists someone who does not know the name. Last names form a small dictionary, so the hashed-name field is exposed to exactly the dictionary attack described under Dictionary Attacks and Salt, and a surname list recovers the records.
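
The scheme above as an added example (not the slides' code), followed by the surname dictionary attack against it. The index is SHA-256 of the lowercased last name; the record is XORed with a PBKDF2-derived pad under a per-record random salt, chosen only so the example runs from the standard library (a real deployment would use an AEAD and a slow, secret-keyed index). The records, surnames and iteration count are constructed.

```python
"""Added example: hashed-name index, name-keyed record encryption, and the
surname dictionary attack that the low entropy of last names permits."""
import hashlib
import os

ITERATIONS = 10_000   # assumed PBKDF2 work factor for this demo


def index_key(last_name: str) -> bytes:
    """The stored lookup field: a one-way hash of the last name."""
    return hashlib.sha256(last_name.lower().encode()).digest()


def _pad(last_name: str, salt: bytes, length: int) -> bytes:
    """Keystream derived from the last name; cost grows with length, fine for a demo."""
    return hashlib.pbkdf2_hmac("sha256", last_name.lower().encode(), salt,
                               ITERATIONS, dklen=length)


def encrypt_record(last_name: str, record: bytes) -> bytes:
    salt = os.urandom(16)
    return salt + bytes(a ^ b for a, b in zip(record, _pad(last_name, salt, len(record))))


def decrypt_record(last_name: str, blob: bytes) -> bytes:
    salt, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _pad(last_name, salt, len(ct))))


def build_db(people) -> list:
    """people: (last_name, record bytes) pairs.  Returns (index, blob) rows."""
    return [(index_key(ln), encrypt_record(ln, rec)) for ln, rec in people]


def lookup(db, last_name: str) -> list:
    """Slide step 4: find rows by hashed name, decrypt them with the name."""
    h = index_key(last_name)
    return [decrypt_record(last_name, blob) for idx, blob in db if idx == h]


def surname_dictionary_attack(db, guesses) -> list:
    """Hash every guessed surname once; each hit yields the name and the record."""
    table = {index_key(g): g for g in guesses}
    return [(table[idx], decrypt_record(table[idx], blob))
            for idx, blob in db if idx in table]


# Constructed sample data.
PEOPLE = [("Smith", b"Alice Smith, 1 Main St"),
          ("Jones", b"Bob Jones, 2 Oak Ave"),
          ("Smith", b"Carol Smith, 3 Elm Rd")]
SAMPLE_DB = build_db(PEOPLE)

if __name__ == "__main__":
    print(lookup(SAMPLE_DB, "smith"))
    print(surname_dictionary_attack(SAMPLE_DB, ["Doe", "Jones", "Smith"]))
```

The attack costs one hash per guessed surname regardless of the database size, the unsalted-file case from the dictionary-attack slides; a per-database secret mixed into `index_key` would at least keep the index from being a public one-way function.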